James Clapper, Director of National Intelligence, testifies alongside CIA Director John Brennan, during a US House Committee on Intelligence hearing on Capitol Hill in Washington, DC, Sept. 10, 2015. The committee held the hearing to examine worldwide cyber threats. (Photo Credit: Saul Loeb/AFP/Getty Images)
The industrial control systems (ICS) that run the United States’ critical infrastructure have been targeted by Russian threat actors, according to Director of National Intelligence James Clapper.
In a statement made last week on worldwide cyber threats before the House Permanent Select Committee on Intelligence, Clapper warned of the increasing threat to national and economic security, and the expansion of attack methods, targeted systems and victims.
“Politically motivated cyber attacks are now a growing reality, and foreign actors are reconnoitering and developing access to US critical infrastructure systems, which might be quickly exploited for disruption if an adversary’s intent became hostile. In addition, those conducting cyber espionage are targeting US government, military, and commercial networks on a daily basis,” the US intel chief said.
Clapper has raised concerns about the cyber capabilities of nation states such as Russia, China, Iran and North Korea, and the threat posed by profit-driven cybercriminals, terrorists and other politically-motivated groups.
The official has cited computer security studies stating that Russian cyber actors are developing means to remotely hack the ICS used to manage critical infrastructures.
“Unknown Russian actors successfully compromised the product supply chains of at least three ICS vendors so that customers downloaded malicious software (‘malware’) designed to facilitate exploitation directly from the vendors’ websites along with legitimate software updates, according to private sector cyber security experts,” Clapper said.
ICS-CERT revealed in March that a total of 245 ICS incidents were reported to the organization in 2014, over half of which involved advanced persistent threats (APTs). A report published by threat intelligence firm Recorded Future last week showed that the number of ICS vulnerabilities and the number of exploits available for these vulnerabilities has increased considerably since the 2011 Stuxnet operation targeting Iran’s nuclear facilities.
“There are many attack vectors for penetrating ICS systems, with unfortunately many of them hiding in clear sight. Our recent research on ICS vulnerabilities shows that things are not improving and that the ICS vendors have much left to do,” Christopher Ahlberg, CEO of Recorded Future, told SecurityWeek on Wednesday. “The actual ICS vendors are likely one of the best attack vectors, be it their software, support services, or websites, and it is not surprising that foreign actors would use this tactic.”
Martin Jartelius, CSO of vulnerability management company Outpost24, has reported vulnerabilities to 15 ICS vendors over the past period. Jartelius has pointed out that Russia is different from other nations when it comes to cyber preparedness with regards to SCADA (supervisory control and data acquisition) systems. The expert says there are only hundreds of standard industrial control systems deployed in Russia, while in Europe and the United States there are thousands of such systems.
“Infiltrating systems in the deployment phase is attractive as this does not require the devices themselves to be vulnerable. As SCADA systems generally are very poorly maintained, with patch penetrations bordering towards 0% when we have been able to observe penetration on the market. The intentions apart from directly affecting those systems as means in a conflict, they are often deployed on networks from where they can reach other internal resources,” Jartelius told SecurityWeek. “Being able to infect devices which are likely to spend 10 to 20 years on a network largely unmaintained is one of the most stable sources of persistence an actor can obtain. This means the devices not only provide means of controlling critical infrastructure in other nations, it is also a means of obtaining access to other internal resources for an extended period of time.”
“We have already seen USB-devices shipped with malware straight out of the factory, just as we have seen CD’s from magazines with malware during the 90’s. Affecting devices in the production line is of course equally tempting to actors from Russia as it is for the NSA,” Jartelius added. “A state actor focusing on monitoring citizens has different requirements from a nation building its cyber arms arsenal. Where the NSA had a focus on networking equipment and traffic monitoring, this makes the same degree of sense from a cyber arms perspective.”
As far as supply chain security is concerned, Steven Chen, co-founder and CEO of malware detection company PFP Cybersecurity, has pointed out that the situation has been getting worse.
“While the example given [by Clapper] is about the software updates, there are many other supply chain risks such as hardware Trojans, firmware hacks, counterfeits, etc. It’s an insidious problem that is going to require new solutions which offer ‘security from cradle to grave.’ Protecting ICS is particularly challenging given the variety of systems and software, many of the systems being especially old and vulnerable,” Chen said via email.
Steve Durbin, managing director of the Information Security Forum, believes that one of the main challenges in securing the supply chain is identifying the sources of risk.
“Accelerating trends of supply chain globalization and outsourced manufacturing and distribution have combined to increase the pace of change, complexity, and risk for brand owners. These trends have created a fundamental shift in the way companies of all sizes plan, source, make, and deliver their goods and services,” Durbin said.
“Supply chains are difficult to secure, they create risk that is hard to identify, complicated to quantify and costly to address. A compromise anywhere in the supply chain can have just as much impact on your organization, and its reputation, as one from within the organization,” Durbin added. “There’s a great necessity to track everything that is happening in the supply chain as even the smallest supplier or the slightest hiccup can have dangerous impact on your business. Brand management and brand reputation are subject to the supply chain and therefore are constantly at stake.”
Ed Powers, National Managing Partner of Deloitte Cyber Risk Services, agrees with Clapper’s approach.
“From the work we are doing with private and public sector clients, Chief Clapper’s approach to cyber threats is spot on as their perpetual nature requires a risk-based management approach. You have to be secure, vigilant, and resilient – you have to manage cyber like any other threat to your business or operation. The complexity and rate of change within today’s technology environments, coupled with the more sophisticated, targeted and persistent nature of cyber attackers’ campaigns, means that organizations need to be much more focused on the threats that matter most to their organizations,” Powers told SecurityWeek.
“Most companies today invest in prudent security controls. But in tomorrow’s complex, connected ecosystems, new vulnerabilities will be created as fast as old ones are addressed. There will always be an element of cyber risk with growth and innovation. Managing cyber risk is not just a cost to the business, but a positive investment to enable the success of strategic growth and performance initiatives,” the expert added.